Introduction

AWS CloudTrail is a powerful tool that facilitates risk audit, compliance, operational audit, and governance of your AWS account. With its ability to detect unusual activity, it simplifies operational analysis and troubleshooting. Administrators can easily configure CloudTrail to monitor user activities and track event history, providing peace of mind.

This comprehensive solution comes packed with features, including validation of log file integrity stored in Amazon S3 buckets, data events for resource insights, management events for administrative actions, and CloudTrail Insights for identifying any suspicious activity within your AWS account. Integration with CloudWatch Events, CloudWatch Logs, and Amazon S3 bucket further enhances its capabilities, enabling automatic responses to changes and invocation of Lambda functions.

In an organization, AWS CloudTrail becomes an invaluable tool, allowing you to log, monitor, and retain account activities, making it effortless to identify and respond to any malicious activities by users. Safeguard your AWS infrastructure and gain better control with AWS CloudTrail - your ultimate security partner.

Lab Objective

In this lab, you will be shown how to utilize AWS CloudTrail to observe the account activities and events related to the services available within the AWS account.

Lab Tasks

Before starting this lab, it is assumed that an EC2 instance is deployed

• Deploy an Ec2 instance using free tire resources.

Use this as a Guide to deploying an EC2 instance

• Sign in to your AWS Management Console and navigate to the IAM Dashboard by searching for IAM at the top Searching box.

• On IAM Dashboard, click on Users from the left pane under Access Management, and at the top right click on Add Users to create a new user.

• On Create User Page, under User details, enter any name of your choice. (Here, D3m0) as the username. Check the box “Provide user access to the AWS Management Console - optional” and next, check the radio button “I want to create an IAM user”, Retain default settings for For Console password, then Uncheck Users must create a new password at next sign-in - Recommended and click Next.

• On the Set Permissions step, select Attach Existing policies directly. Type AmazonEC2ReadOnlyAccess in the Filter policies field. Select AmazonEC2ReadOnlyAccess from the dropdown. Click on Next

• On the Review and Create step, Review settings and click on Create user

• The user (D3m0) is successfully created. Click on Show to view the Password. Copy and paste the username and password to notepad or sticky note. Or click on Download .csv file Then, click on Return to users list button

• On the IAM User page, the new user will be displayed

• Navigate to IAM Dashboard from the left pane, copy the IAM user sign-in URL and paste on Google Chrome incognito address bar window and press Enter. (Shortcut Ctrl + Shift + N)

• On the Sign in as IAM user page, enter the user credentials of the new user you created (here, D3m0 ) and click on Sign in.

• On the AWS Management Console for D3m0 User, search for EC2 from the top search box.

Recall that while creating the IAM User account for D3m0, the AmazonEC2ReadOnlyAccess policy was Attached directly to it. Hence, User D3m0 can only perform Read-Only on the EC2 service.

• On the EC2 Dashboard, click on Instances (running) under Resources.

NB: If you not seeing the instance deployed on D3m0 Account, change your region to the Ec2 instance that was deployed in your root account.

• On the Instances page, select the instance and click on the Instance state dropdown menu. From the dropdown menu, choose Stop instance.

• Next, you get a confirmation pop-up box for Stop Instance?, click on Stop.

• You will see the Failed to stop the instance message. The user D3m0 does not have permission but has tried to stop the running instance. Close incognito window

• Next, Switch to your root user account to monitor the activity of the user D3m0. From the top search box, search for CloudTrail.

• On the Amazon CloudTrail dashboard, click on Create a Trail.

• On the Quick trail create page, type Trail name as users-activity and click on Create Trail.

• The trail has been successfully created. Now, click on Event History on the left navigation pane to view the user activity.

• Click on the Lookup attributes dropdown and select Username from the list and enter the username you created (here, D3m0) and click the refresh icon, as shown in the image below.

• The list of events will be populated against the user (here, D3m0). Navigate to the StopInstances event and click on it.

• You can see the event details here. The Error code attribute shows the user does not have permission to stop an instance but has tried to stop the running instances.

This way, a cloud security engineer can monitor any unusual user activity with the help of AWS CloudTrail.

Deleting Created Resources

Please make sure to delete, shut down, or terminate all resources created and utilized in this lab to avoid incurring any charges.

• Now delete the instances created in this lab. Navigate to the CloudTrail dashboard and click on the Trail created in this lab (here, users-activity). Click on the Delete button. In the pop-up window, click on the Delete button.

• Navigate to the Users tab under the IAM console and select the checkbox for instance created in this lab (here, D3m0). Click on the Delete button. In the pop-up window, enter the user's name and click on the Delete button.

• Navigate to the Instances under the EC2 console and select the checkbox for the instance created in this lab. Select the Actions dropdown and click on Terminate instance. In the pop-up window, click on the Terminate button

• Navigate to Security Groups under the EC2 console and select the checkbox for the instance created in this lab (here, launch-wizard-1). Select the Actions dropdown and click on Delete security group. In the pop-up window, click on the Delete button.